Command Line Option Vulnerability in Python's Webbrowser API
CVE-2026-4519

7HIGH

Key Information:

Vendor

Python Software Foundation

Status
Cpython
Vendor
CVE Published:
20 March 2026

What is CVE-2026-4519?

The webbrowser.open() API within Python has a vulnerability that allows URL inputs with leading dashes to be processed as command line options by certain web browsers. This issue can lead to unintended command execution. Although recent updates reject such inputs, it is recommended that users sanitize URLs thoroughly before passing them to the API to mitigate this risk. Developers should ensure that leading dashes are removed from URLs to maintain the integrity and security of their applications.

Affected Version(s)

CPython 0 < 3.13.13

CPython 3.14.0 < 3.14.4

CPython 3.15.0a1 < 3.15.0a8

References

https://github.com/python/cpython/pull/143931
patch
https://github.com/python/cpython/issues/143930
issue-tracking
https://mail.python.org/archives/list/security-announce@p...
vendor-advisory

CVSS V4

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Seth Larson
Gregory P. Smith
.